<?php
/*
	Aurus CMS - free OOP CMS
	Copyright (C) 2010  Nestor Yanchuk

	This program is free software: you can redistribute it and/or modify
	it under the terms of the GNU General Public License as published by
	the Free Software Foundation, either version 2 of the License, or
	(at your option) any later version.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
if (!defined('ROOT')) die();
/**
 * Клас для забезпечення безпеки
 * 
 * @package Aurus
 * @author Kvis
 * @copyright 2010
 * @version 1.0
 * @access public
 */
class Security {
	/**
	 * Фільтрація і очистка вхідних даних
	 * 
	 * @return void
	 */
	public static function cleanInData() {
		//"magic" quotes...з'являються коли їх не чекають, справжня магія...
		//Треба позбутись магії...
		if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
			array_map('stripslashes', $_POST);
			array_map('stripslashes', $_GET);
			array_map('stripslashes', $_COOKIE);
			array_map('stripslashes', $_REQUEST);
		}

		//Спроба вимкнути register_globals
		if (boolean(ini_get('register_globals'))) {
			try {
				foreach ($_REQUEST as $key => $val) {
					global ${$key};
					${$key} = null;
				}
			} catch (AurusException $e) {}
		}
		//Відслідковуємо XSS атаки//
		if (isset($_SERVER['QUERY_STRING'])) {
			$request = self::decodeCharCode(strtolower(urldecode(html_entity_decode($_SERVER['QUERY_STRING']))));
			if ((strpos($request, '<') !== false) || (strpos($request, '>') !== false) || (strpos($request, './') !== false) || (strpos($request, '../') !== false) || (strpos($request, '.php') !== false) || (strpos($request, '.phtml') !== false)) {
				Aurus::location(LINK_ROOT);
			}
		}
		if (isset($_SERVER['REQUEST_URI'])) {
			$request = strtolower(urldecode(html_entity_decode($_SERVER['REQUEST_URI'])));
			if ((strpos($request, '<') !== false) || (strpos($request, '>') !== false) || (strpos($request, './') !== false) || (strpos($request, '../') !== false)) {
				Aurus::location(LINK_ROOT);
			}
		}
	}
	/**
	 * Очищення посилання від XSS атак.
	 * 
	 * @param string $url - посилання
	 * @return string - очищене посилання
	 */
	public static function cleanXSSUrl($url) {
		$url = self::decodeCharCode(trim(strtolower($url)));
		$url = str_replace(array(ord(0), ord(9), ord(10), ord(13), ' ', "'", '"', ';', '<', '>', './'), '', $url);

		$b = array('javascript:', 'behaviour:', 'vbscript:', 'mocha:', 'livescript:');

		foreach ($b as $ii) {
			if (strpos($url, $ii)) return '';
		}
		return $url;
	}
	/**
	 * @ignore
	 */
	protected static function decodeCharCode($source) {
		$source = preg_replace('/&#(\d+);/me', "chr(\\1)", $source);
		$source = preg_replace('/&#x([a-f0-9]+);/mei', "chr(0x\\1)", $source);
		return $source;
	}
}
